Web Security – Everything we know is wrong Eoin Keary • CTO BCCRISKADVISORY.COM • OWASP GLOBAL BOARD MEMBER • Architect of edgescan.com HACKED 3 Target's December 19 disclosure 100+ million payment cards Snapchat: 4.6 million user records LoyaltyBuild November disclosure 1.5 million + records Globally, 2012 Cyber Crime every second, 18 • US $20.7 billion in direct losses • Global $110 billion in direct losses adults • Global $338 billion + downtime become victims of “The loss of industrial information and intellectual cybercrime property through cyber espionage constitutes the - Symantec greatest transfer of wealth in history” - Keith “One hundred BILLION dollars” Dr Evil Alexander Almost 1 trillion USD was spent in 2012 protecting against cybercrime Eoin, I didn’t click it – My Grandma “556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.” Its (not) the $$$$ Information security spend Security incidents (business impact) ……we are approaching this problem [software <in>Security] completely wrong and have been for years….. Asymmetric Arms Race A traditional end of cycle / Annual Penetration testonly gives minimal security….. There are too many variables and too little time to ensure “real security”. Two weeks of ethical hacking Business Logic Flaws Security Errors Code Flaws Ten man-years of development Make this more difficult: “Lets change the application code once a month.” • Continuous Security Assessment Approach: time Security is changing…. From – Securing mission critical assets. – Point in time Assessments. – Appliances/Software licenses and staff to manage perimeter. To – Securing all assets. – Frequent scheduled assessment of all assets. – SaaS Security "Risk comes from not knowing what you're doing." - Warren Buffet Time Limited: Consultant “tune tools” Use multiple tools – verify issues Customize Attack Vectors to technology stack Achieve 80-90 application functionality coverage A fool with a tool, is still a fool”…..? Experience As good as the bad guys? Code may be pushed frequently: Erosion of Penetration test? Window of Exploitation? Tools with Tunnel Vision: Problem has moved (back) to the client. Some “Client Side” vulnerabilities can’t be tested via HTTP parameter testing. AJAX Flex/Flash/Air Native Mobile Web Apps – Data Storage, leakage, malware. DOM XSS – Sinks & Sources in client script -> no HTTP required Scanning in not enough anymore. We need DOM security assessment. - Javascript parsing/ Taint analysis/ String analysis/manual validation window.location = http://example.com/a/page.ext?par=val#javascript&#x3a;alert(1) jQuery.globalEval( userContent ): http://code.google.com/p/domxsswiki/ “Onions” SDL Design review Threat Modeling Code review/SAST/CI Negative use/abuse cases/Fuzzing/DAST Live/ Ongoing Continuous/Frequent monitoring / Testing Manual Validation Vulnerability management & Priority Dependency Management …. “Robots are good at detecting known unknowns” “Humans are good at detecting unknown unknowns” CI (Continuous Integration) Code changes invoke SAST Build Pass/Fails SAST Rules control Rule Tuning False Positive Tuning Framework awareness You are what you eat Cheeseburger Security We know they are bad for us, but who cares, right? If we eat too many we may get a heart attack? …sound familiar We also write [in]secure code until we get hacked The Cheeseburger approach: “Cheeseburger risk’ is the kind of risk you deliberately take even knowing the consequences, until those consequences actually come to pass.” Software food chain COTS (Commercial off the shelf Application Code Outsourced development SubContractors Third Party API’s Bespoke outsourced development Third Party Components & Systems Bespoke Internal development More Degrees of trust Less You may not let some of the people who have developed your code into your offices!! 22 2012- Study of 31 popular open source libraries. - 19.8 million (26%) of the library downloads have known vulnerabilities. - Today's applications may use up to 30 or more libraries - 80% of the codebase Spring - application development framework : downloaded 18 million times by over 43,000 organizations in the last year. – Vulnerability: Information leakage CVE-2011-2730 http://support.springsource.com/security/cve-2011-2730 In Apache CXF– application framework: 4.2 million downloads.- Vulnerability: high risk CVE2010-2076 & CVE 2012-0803 http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf http://cxf.apache.org/cve-2012-0803.html Do we test for "dependency“ issues? NO Does your patch management policy cover application dependencies? Check out: https://github.com/jeremylong/DependencyCheck Bite off more than we chew “We can’t improve what we can’t measure” How can we manage vulnerabilities on a large scale…. Say 300 web applications: 300 Annual Penetration tests 10’s of different penetration testers? 300 reports How do we consume this Data? Enterprise Security Intelligence: Consolidation of vulnerability data. Continuous active monitoring Vulnerability Management solutions Delta Analysis is Key: Initial testing is most work. Subsequent testing is easier we focus on delta/change. Metrics: We can measure what problems we have Measure: We cant improve what we cant measure Priority: If we can measure we can prioritise Delta: If we can measure we can detect change Apply: We can apply our (limited) budget on the right things Improve: We can improve where it matters…… Value: Demonstrate value to our business Answer the question: “Are we secure?” <- a little better Information flooding (Melting a developers brain, White noise and “compliance”) Doing things right != Doing the right things. “Not all bugs/vulnerabilities are equal” (is HttpOnly important if there is no XSS?) Context is important! Contextualize Risk (is XSS /SQLi always High Risk?) Do developers need to fix everything? - Limited time - Finite Resources - Task Priority - Pass internal audit? Dick Tracy White Noise Compliance There’s Compliance: EU directive: http://register.consilium.europa.eu/pdf/en/12/st05/st05853. en12.pdf Article 23,24 & 79, - Administrative sanctions “The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0.5 % of its annual worldwide turnover, to anyone who, intentionally or negligently does not protect personal data” …and there’s Compliance Clear and Present Danger!! Update: Kinder eggs are now legal in the USA. You’re Welcome!! Problem Explain issues in “Developer speak” (AKA English) Is Cross-Site Scripting the same as SQL injection? Both are injection attacks -> code and data being confused by system. LDAP Injection, Command Injection, Log Injection, XSS, SQLI etc etc XSS causes the browser to execute user supplied input as code. The input breaks out of the [data context] and becomes [execution context]. SQLI causes the database or source code calling the database to confuse [data context] and ANSI SQL [ execution context]. Command injection mixes up [data context] and the [execution context]. To Conclude…. We need to understand what we are protecting against. We need to understand that a pentest alone is a loosing battle. You can only improve what you can measure Not all bugs are created equal. Bugs are Bugs. Explain security issues to developers in “Dev speak” Thanks for Listening eoin@bccriskadvisory.com Eoin.Keary@owasp.org @eoinkeary www.bccriskadvisory.com © BCC Risk Advisory Ltd 2013 .. All rights reserved.